fix application properties for embedded csp (#637)

LabKey · Dec 8, 2023 · 33399ab · 33399ab
1 parent 2d1adca
commit 33399ab
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 29 deletions.
diff --git a/server/configs/application.properties b/server/configs/application.properties
@@ -78,10 +78,8 @@ spring.main.banner-mode=off
 # example usage 1 - very strict, disallows 'external' websites, disallows unsafe-inline, but only reports violations (does not enforce)
 # good for test automation!
 
-#csp.disposition=report
-#csp.policy="default-src 'self' https: ;\nconnect-src 'self' https: ;\nobject-src 'none' ;\nstyle-src 'self' https: 'unsafe-inline' ;\nimg-src 'self' data: ;\nscript-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\nbase-uri 'self' ;\nupgrade-insecure-requests ;\nframe-ancestors 'self' ;\nreport-to /labkey/admin-contentsecuritypolicyreport.api ;\nreport-uri /labkey/admin-contentsecuritypolicyreport.api ;"
+csp.report="default-src 'self' https: ;\nconnect-src 'self' https: ;\nobject-src 'none' ;\nstyle-src 'self' https: 'unsafe-inline' ;\nimg-src 'self' data: ;\nscript-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\nbase-uri 'self' ;\nupgrade-insecure-requests ;\nframe-ancestors 'self' ;\nreport-to /labkey/admin-contentsecuritypolicyreport.api ;\nreport-uri /labkey/admin-contentsecuritypolicyreport.api ;"
 
 # example usage 2 - less strict but enforces directives, (NOTE: unsafe-inline is still required for many modules)
 
-#csp.disposition=enforce
-#csp.policy="default-src 'self' https: ;\nconnect-src 'self' https: ;\nobject-src 'none' ;\nstyle-src 'self' https: 'unsafe-inline' ;\nimg-src 'self' data: ;\nscript-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\nbase-uri 'self' ;\nupgrade-insecure-requests ;\nframe-ancestors 'self' ;\nreport-to /labkey/admin-contentsecuritypolicyreport.api ;\nreport-uri /labkey/admin-contentsecuritypolicyreport.api ;"
+csp.enforce="default-src 'self' https: ;\nconnect-src 'self' https: ;\nobject-src 'none' ;\nstyle-src 'self' https: 'unsafe-inline' ;\nimg-src 'self' data: ;\nscript-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\nbase-uri 'self' ;\nupgrade-insecure-requests ;\nframe-ancestors 'self' ;\nreport-to /labkey/admin-contentsecuritypolicyreport.api ;\nreport-uri /labkey/admin-contentsecuritypolicyreport.api ;"
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -45,7 +45,8 @@ public class LabKeyServer
     private static final String MAX_WAIT_MILLIS_DEFAULT = "120000";
     private static final String ACCESS_TO_CONNECTION_ALLOWED_DEFAULT = "true";
     private static final String VALIDATION_QUERY_DEFAULT = "SELECT 1";
-    private static final String CSP_FILTER_NAME = "ContentSecurityPolicyFilter";
+    private static final String REPORT_CSP_FILTER_NAME = "ReportContentSecurityPolicyFilter";
+    private static final String ENFORCE_CSP_FILTER_NAME = "EnforceContentSecurityPolicyFilter";
 
     public static void main(String[] args)
     {
@@ -124,22 +125,14 @@ protected TomcatWebServer getTomcatWebServer(Tomcat tomcat)
                     StandardContext context = (StandardContext) tomcat.addWebapp("/labkey", webAppLocation);
                     CSPFilterProperties cspFilterProperties = cspSource();
 
-                    if (cspFilterProperties.getDisposition() != null && cspFilterProperties.getPolicy() != null)
+                    if (cspFilterProperties.getEnforce() != null)
                     {
-                        FilterDef filterDef = new FilterDef();
-                        filterDef.setFilterName(CSP_FILTER_NAME);
-                        filterDef.setFilter(new ContentSecurityPolicyFilter());
-                        filterDef.addInitParameter("policy", cspFilterProperties.getPolicy());
-                        filterDef.addInitParameter("disposition", cspFilterProperties.getDisposition());
-
-                        FilterMap filterMap = new FilterMap();
-                        filterMap.setFilterName(CSP_FILTER_NAME);
-                        filterMap.addURLPattern("/*");
-
-                        context.addFilterDef(filterDef);
-                        context.addFilterMap(filterMap);
+                        addCSPFilter("enforce", cspFilterProperties.getEnforce(), ENFORCE_CSP_FILTER_NAME ,context);
+                    }
+                    if (cspFilterProperties.getReport() != null)
+                    {
+                        addCSPFilter("report", cspFilterProperties.getReport(), REPORT_CSP_FILTER_NAME, context);
                     }
-
 
                     // Issue 48426: Allow config for desired work directory
                     if (contextProperties.getWorkDirLocation() != null)
@@ -198,6 +191,23 @@ protected TomcatWebServer getTomcatWebServer(Tomcat tomcat)
                 return super.getTomcatWebServer(tomcat);
             }
 
+
+            private void addCSPFilter(String disposition, String policy, String filterName, StandardContext context)
+            {
+                FilterDef filterDef = new FilterDef();
+                filterDef.setFilterName(filterName);
+                filterDef.setFilter(new ContentSecurityPolicyFilter());
+                filterDef.addInitParameter("policy", policy);
+                filterDef.addInitParameter("disposition", disposition);
+
+                FilterMap filterMap = new FilterMap();
+                filterMap.setFilterName(filterName);
+                filterMap.addURLPattern("/*");
+
+                context.addFilterDef(filterDef);
+                context.addFilterMap(filterMap);
+            }
+
             // Issue 48565: allow for JSON-formatted access logs in embedded tomcat
             private void configureJsonAccessLogging(Tomcat tomcat, JsonAccessLog logConfig)
             {
@@ -764,27 +774,27 @@ public void setSmtpAuth(String smtpAuth)
     @ConfigurationProperties("csp")
     public static class CSPFilterProperties
     {
-        private String disposition;
-        private String policy;
+        private String enforce;
+        private String report;
 
-        public String getDisposition()
+        public String getEnforce()
         {
-            return disposition;
+            return enforce;
         }
 
-        public void setDisposition(String disposition)
+        public void setEnforce(String enforce)
         {
-            this.disposition = disposition;
+            this.enforce = enforce;
         }
 
-        public String getPolicy()
+        public String getReport()
         {
-            return policy;
+            return report;
         }
 
-        public void setPolicy(String policy)
+        public void setReport(String report)
         {
-            this.policy = policy;
+            this.report = report;
         }
     }
 }